Supply chain analysis

Last updated: Mar 26, 2026


The Packages section within Inventory gives you visibility into the third-party dependencies used across all active repositories in a group, so you can monitor each dependency's update status, the security advisories that affect it, and whether any of its vulnerabilities are reachable from your code.

Know software dependencies list on the Fluid Attacks platform

Views of Packages

Packages

The Packages section lists all the third-party dependencies used across the code repositories of your group. The table provides the following information:

  • Dependency: Name of the open-source component or dependency
  • Repository: The nickname your organization has given to the repository where the dependency is used
  • Version status: The version of the dependency currently in use by your project, together with a security-relevant status for that version. The possible values are:
    • Reachable: A vulnerable element of the dependency is actually called by your application, so the vulnerability can be exploited in the context of your application.
    • Vulnerable: Advisories have been issued for that dependency version.
    • Outdated: A newer version of the dependency is available, in which case the column also shows the suggested upgrade.
    • Updated: The dependency is at its latest version.
    • Malware: Malicious software was detected in that dependency version.
  • Vulnerabilities: The number of detected vulnerabilities at each CVSS qualitative severity rating
  • License: The license of the software package, like ISC or MIT, which defines how your project can legally use its code
  • Last publish: Time since the latest version was released
  • Locations: The number of files within the repo that contain, or correspond to, the dependency

You can click on the Columns button to open a window where you can reorder, show or hide columns.

Manage columns in packages on the Fluid Attacks platform

You can filter the dependencies by the variables visible in the table, as well as by the Docker images that contain them, the package manager used, and the stage (build or run) in which your project depends on them.

Filter the Supply chain section on Fluid Attacks platform
Filter dependencies
Identify outdated dependencies on the Fluid Attacks platform
For example, filter by 'Version status'

Package Imports

In the Packages section, when you click on a link in the Locations column, you are taken to a table with information about the files in your repository that relate to the selected third-party dependency.

See direct dependency in production on the Fluid Attacks platform
Use of the direct dependency in the production stage
See transitive dependency in development and prod on the Fluid Attacks platform
Use of the transitive dependency in the development and production stages

The table columns provide the following information:

  • Transitivity: Whether each listed file in your software is directly or indirectly related to the third-party component in question:
    • D: Short for 'Direct'; the file in your project explicitly imports and uses the third-party dependency
    • T: Short for 'Transitive'; the third-party dependency is required by one of your direct dependencies, but is not directly imported by the file in your project
    • U: Short for 'Undeterminable'; for this file, it is not possible to determine whether the dependency is direct or transitive
  • Locations: The path of the file related to the third-party dependency
  • Specific: The exact line of code that shows the relation with the third-party dependency stated in Transitivity
  • Stage: The stage(s) in which your project depends on the third-party dependency:
    • Build: Your file depends on the third-party component only in the software development stage
    • Run: Your file depends on the third-party component in the live production environment
  • Vulnerabilities associated: The number of vulnerabilities related to the third-party dependency

By clicking on the code branch icon next to the T of each transitive dependency, you can see the dependency path from the direct dependency to the affected transitive dependency ("grunt-if" and "y18n", respectively, in the following example image):

See dependency paths for transitive dependencies on the Fluid Attacks platform
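The Transitivity, Stage and dependency path information above is derived from the repository's package manifests and lockfiles. As an added illustration (not part of this page and not the platform's own implementation), the following Python script reconstructs the same three facts from a constructed npm package-lock.json v3 fragment: it resolves each requirement the way Node's nearest-node_modules lookup does, classifies every installed copy of a package as D or T, records the stage (Run for dependencies, Build for devDependencies, following the page's naming) and reports the shortest chain from a direct dependency to the transitive one, as in the grunt-if to y18n case above. The package names, versions and lockfile contents are constructed sample data; the platform also classifies per importing file, which this lockfile-level example does not attempt.

```python
import json
from collections import deque

# Constructed npm package-lock.json v3 fragment (sample data, not a real project).
# The names reuse the page's example: grunt-if pulls in y18n through yargs, and the
# dev-only tool mocha pulls in a second, nested copy of yargs and y18n.
LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "dependencies": {"grunt-if": "0.2.0"},
            "devDependencies": {"mocha": "10.2.0"},
        },
        "node_modules/grunt-if": {"version": "0.2.0", "dependencies": {"yargs": "3.10.0"}},
        "node_modules/yargs": {"version": "3.10.0", "dependencies": {"y18n": "3.2.1"}},
        "node_modules/y18n": {"version": "3.2.1"},
        "node_modules/mocha": {"version": "10.2.0", "dev": True, "dependencies": {"yargs": "16.2.0"}},
        "node_modules/mocha/node_modules/yargs": {"version": "16.2.0", "dev": True, "dependencies": {"y18n": "5.0.8"}},
        "node_modules/mocha/node_modules/y18n": {"version": "5.0.8", "dev": True},
    },
})


def _parent(path):
    """Lockfile path of the package whose node_modules contains this entry ('' is the root)."""
    idx = path.rfind("/node_modules/")
    return path[:idx] if idx != -1 else ""


def _name(path):
    """Package name from a lockfile path such as 'node_modules/mocha/node_modules/yargs'."""
    return path.rsplit("node_modules/", 1)[1]


def _resolve(packages, from_path, name):
    """Mimic Node's lookup: the nearest node_modules/<name> walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if base == "":
            return None  # unresolved requirement (the lockfile is incomplete)
        base = _parent(base)


def build_graph(lock_text):
    """Return (packages, edges). edges[path] is a list of (required_path, stage); stage is
    'Run' or 'Build' for edges leaving the root (the page's stage names) and None elsewhere."""
    packages = json.loads(lock_text)["packages"]
    edges = {}
    for path, meta in packages.items():
        edges[path] = []
        groups = [(meta.get("dependencies", {}), "Run")]
        if path == "":
            groups.append((meta.get("devDependencies", {}), "Build"))
        for deps, stage in groups:
            for dep in deps:
                target = _resolve(packages, path, dep)
                if target is not None:
                    edges[path].append((target, stage if path == "" else None))
    return packages, edges


def dependency_paths(lock_text, target_name):
    """For every installed copy of target_name, return its transitivity (D or T), the stages
    that depend on it and the shortest chain from a direct dependency, keyed by lockfile path."""
    packages, edges = build_graph(lock_text)
    results = {}
    # Breadth-first from the root, so the first chain reaching a copy is the shortest one.
    queue = deque(([target], stage) for target, stage in edges[""])
    seen = set()
    while queue:
        chain, stage = queue.popleft()
        here = chain[-1]
        if (here, stage) in seen:
            continue  # already expanded for this stage; this also stops dependency cycles
        seen.add((here, stage))
        if _name(here) == target_name:
            entry = results.setdefault(here, {
                "version": packages[here]["version"],
                "transitivity": "D" if len(chain) == 1 else "T",
                "stages": set(),
                "path": [f"{_name(p)}@{packages[p]['version']}" for p in chain],
            })
            entry["stages"].add(stage)
        for nxt, _ in edges[here]:
            queue.append((chain + [nxt], stage))
    for entry in results.values():
        entry["stages"] = sorted(entry["stages"])
    return results


if __name__ == "__main__":
    for path, info in dependency_paths(LOCKFILE, "y18n").items():
        print(path, info["transitivity"], info["stages"], " -> ".join(info["path"]))
```

Running the script prints two copies of y18n: version 3.2.1 reached at Run time through grunt-if and yargs, and version 5.0.8 reached only at Build time through mocha. The nested-copy case matters in practice because an advisory for one version does not necessarily apply to the other, which is why the page reports each installed version separately.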

By clicking on the vulnerabilities associated link, you get a pop-up window with the vulnerability details:

See dependency vulnerability on the Fluid Attacks platform

  • Vulnerability: The file path where the vulnerability is found
  • Specific: The exact line of code that shows the relation with the third-party dependency, as described above under Transitivity
  • Advisory ID: The identifier of the vulnerability advisory or Common Vulnerabilities and Exposures (CVE) entry
  • Affected version: The dependency versions that are affected by the vulnerability
  • Severity: The qualitative severity rating according to the Common Vulnerability Scoring System (CVSS)
  • Reported: The link to the reported vulnerability on the platform

If you click on the downward-facing arrow, you can see a description taken from the advisory source and reference URLs.

View dependency advisory description on the Fluid Attacks platform

Supported package managers

Currently, supply chain analysis is supported for the following package managers:

  • Alpine Package Keeper (apk)
  • APK (Android Package)
  • Bundler (Ruby)
  • Cargo (Rust)
  • CocoaPods (Swift)
  • Composer (PHP)
  • Dart Pub (Dart)
  • dpkg (Debian)
  • Gradle (Java)
  • Hex (Elixir)
  • Maven (Java)
  • NPM (JavaScript)
  • NuGet (.NET)
  • Pacman (Arch Linux and derivatives)
  • PECL (PHP)
  • Pip (Python)
  • Pipenv (Python)
  • PNPM (JavaScript)
  • Poetry (Python)
  • RPM (Red Hat)
  • Swift Package Manager (Swift)
  • YARN (JavaScript)

Supported Docker images

Currently, supply chain analysis is supported for the following Docker images:

  • Alpine Linux
  • Arch Linux
  • Distros based on Debian (Ubuntu, Debian)
  • Distros based on Red Hat or Fedora

Export SBOM

The inventory of open-source software in your project is available on the platform in two formats: CycloneDX and SPDX. Each of these formats follows a standard for representing dependencies, vulnerabilities and license information in a structured way.

You can easily export a software bill of materials (SBOM) for your dependencies following these steps:

  1. Within your group, navigate to Inventory > Packages.

  2. Click on the Export SBOM button.

    Find the SBOM generation button on the Fluid Attacks platform
  3. Select whether you want an SBOM for the packages in your Git repositories or in your Docker images.

    Select SBOM report type on the Fluid Attacks platform
  4. Select in which format you want to download the inventory of software dependencies: CycloneDX or SPDX.

    Choose SBOM format on the Fluid Attacks platform
  5. Select the file type for your SBOM: JSON or XML.

    Choose SBOM file type on the Fluid Attacks platform
  6. Select the resources (repos or Docker images) related to the project(s) of which you want to generate the SBOM. The window only shows active resources.

    Generate project SBOM on the Fluid Attacks platform
  7. Click on Generate.

  8. You then receive an email telling you that your SBOM is ready. Go to the platform and click on Downloads to download it. If you chose more than one repository, you receive a separate email for each one.

Download SBOM by Fluid Attacks
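Once the SBOM is downloaded, the usual next step is to consume it in a pipeline rather than read it by hand. The following Python script is an added example (not part of this page and not a Fluid Attacks tool) that reads a CycloneDX JSON document, joins each component to the advisories that affect it through the link between a vulnerability's `affects[].ref` and a component's `bom-ref`, reports each component's declared licenses, and flags components that lack a license, carry a license outside an allow list, or have an advisory above a severity threshold. The embedded SBOM is a constructed CycloneDX 1.5 fragment with placeholder advisory identifiers; the script relies only on keys defined by the CycloneDX JSON schema, so it can be pointed at a real export instead.

```python
import json

# Constructed CycloneDX 1.5 JSON fragment (sample data, not a platform export).
# Advisory identifiers are placeholders, not real CVE or GHSA entries.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/grunt-if@0.2.0", "name": "grunt-if",
         "version": "0.2.0", "purl": "pkg:npm/grunt-if@0.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:npm/y18n@3.2.1", "name": "y18n",
         "version": "3.2.1", "purl": "pkg:npm/y18n@3.2.1",
         "licenses": [{"license": {"id": "ISC"}}]},
        {"type": "library", "bom-ref": "pkg:npm/demo-util@1.0.0", "name": "demo-util",
         "version": "1.0.0", "purl": "pkg:npm/demo-util@1.0.0"},  # no license declared
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "source": {"name": "constructed"},
         "ratings": [{"severity": "high", "method": "CVSSv31", "score": 7.3}],
         "affects": [{"ref": "pkg:npm/y18n@3.2.1"}]},
        {"id": "EXAMPLE-0002", "source": {"name": "constructed"},
         "ratings": [{"severity": "low", "method": "CVSSv31", "score": 3.1},
                     {"severity": "medium", "method": "other", "score": 4.0}],
         "affects": [{"ref": "pkg:npm/y18n@3.2.1"}, {"ref": "pkg:npm/demo-util@1.0.0"}]},
    ],
})

# CycloneDX severity vocabulary, ordered for comparison.
SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1, "none": 0, "unknown": 0}


def _rank(severity):
    return SEVERITY_RANK.get(severity, 0)


def load_sbom(text):
    """Parse the document and refuse anything that is not CycloneDX (SPDX uses other keys)."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def worst_severity(vuln):
    """A vulnerability may carry several ratings (different sources or methods); keep the worst."""
    severities = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])]
    return max(severities, key=_rank, default="unknown")


def index_vulnerabilities(sbom):
    """Map each affected bom-ref to the (advisory id, worst severity) pairs that hit it."""
    by_ref = {}
    for vuln in sbom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            by_ref.setdefault(affected["ref"], []).append((vuln["id"], worst_severity(vuln)))
    return by_ref


def component_licenses(component):
    """Licenses may be SPDX ids, free-text names or SPDX expressions; normalise to strings."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license")
        if lic:
            ids.append(lic.get("id") or lic.get("name") or "unknown")
        elif "expression" in entry:
            ids.append(entry["expression"])
    return ids


def summarize(sbom):
    """One row per component: licenses, the advisories affecting it and the worst severity."""
    vulns = index_vulnerabilities(sbom)
    rows = []
    for comp in sbom.get("components", []):
        found = vulns.get(comp.get("bom-ref") or comp.get("purl"), [])
        rows.append({
            "name": comp["name"],
            "version": comp.get("version", ""),
            "licenses": component_licenses(comp),
            "advisories": [{"id": vid, "severity": sev} for vid, sev in found],
            "worst": max((sev for _, sev in found), key=_rank, default="none"),
        })
    return rows


def policy_violations(sbom, allowed_licenses, max_severity="medium"):
    """Gate for a pipeline: unlicensed components, disallowed licenses, advisories over threshold."""
    problems = []
    for row in summarize(sbom):
        label = f"{row['name']}@{row['version']}"
        if not row["licenses"]:
            problems.append(f"{label}: no license declared")
        for lic in row["licenses"]:
            if lic not in allowed_licenses:
                problems.append(f"{label}: license {lic} not in allow list")
        over = [a["id"] for a in row["advisories"] if _rank(a["severity"]) > _rank(max_severity)]
        if over:
            problems.append(f"{label}: advisories above {max_severity}: {', '.join(over)}")
    return problems


if __name__ == "__main__":
    for problem in policy_violations(load_sbom(SBOM_JSON), {"MIT", "ISC"}, "medium"):
        print(problem)
```

The check deliberately keys on `bom-ref` rather than on name and version, because the same package can appear more than once in one document (for example, two versions of a transitive dependency) and only the reference is unambiguous. An SPDX export describes the same inventory with a different layout (`packages`, `relationships` and `licenseConcluded` fields), so it needs a separate reader; the `load_sbom` guard above makes that mismatch fail loudly instead of silently reporting an empty inventory.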
